For example, to ensure sufficient authorization or authentication, OWASP recommends reviewing the password policy for each interface and separating the roles that determine access rights to the application's features. Testers can validate these issues by identifying instances of weak passwords, conducting brute-force attacks against usernames, reviewing access controls and testing for privilege escalation.

Another top issue is insecure software or firmware. It arises when updates are delivered over unprotected network connections, or when the software or firmware contains hardcoded sensitive data such as credentials. Although easy to discover, a software or firmware compromise can lead to loss of user data, loss of control over the IoT device, and attacks against other devices.
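The insecure-update issue above has a concrete mitigation: sign the update so the device can check it regardless of how it arrived. The following Go program is added here as an illustration, not code from the original article or from any i-Sprint product; the Manifest layout, the vendor key pair and the firmware image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest: a monotonically increasing
// version number plus the SHA-256 digest of the firmware image it describes.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}
// Bytes is the canonical encoding that the vendor signs and the device verifies.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4, 36)
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}
// SignManifest runs in the vendor's build pipeline; the private key never ships on the device.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}
// VerifyUpdate accepts an update only if the manifest signature checks against the
// pinned vendor key, the image hashes to the signed digest, and the version is newer
// than the installed one, so the transport carrying the update need not be trusted.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorPub, m.Bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.Digest {
		return errors.New("image digest does not match signed manifest")
	}
	if m.Version <= installed {
		return errors.New("rollback or replay rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	image := []byte("constructed firmware image v2")
	m := Manifest{Version: 2, Digest: sha256.Sum256(image)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, 1, m, sig, image))  // prints genuine: <nil>
	fmt.Println("rollback:", VerifyUpdate(pub, 2, m, sig, image)) // prints rollback: rollback or replay rejected
}
```

A real device would store the vendor public key in read-only or attested storage and persist the installed version so the rollback check survives a power cycle.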

Bank-grade services

To establish rigorous application security, i-Sprint Innovations – which provides identity, credentials and access management solutions – is building on the stringent requirements and standards in the banking and finance sector to provide security administration, authentication, authorization and audit (4A) services to business applications.

i-Sprint’s comprehensive AccessMatrix Universal Access Management (UAM) system provides those services and is geared to address the issues identified by OWASP. The system’s web single sign-on (SSO); federated SSO; externalized authorization management; and hierarchy-based delegated administration draw on a built-in common set of identity and access management services for custom enterprise and internet applications.

Externalized authorization: Built-in role-based access control for users and groups, and the mapping of different user IDs in different applications to a single SSO ID, help migrate existing applications to UAM. Native integration of the AccessMatrix Security Server with external user stores such as LDAP and Active Directory, via the LDAP protocol or JDBC, removes the need to synchronize user information or change schemas.

IoT foundation

Even before IoT creates new online security risks, rigorous application security is a must-have for enterprises and government agencies that deliver mission-critical services to their stakeholders and must protect their personal information.

Organizations like an inland revenue authority or a growing financial institution constantly review the resilience of their digital services against evolving web and application security threats.

In Singapore, a Civil Service College case study on the Inland Revenue Authority (IRAS) cited a comment by the latter’s deputy commissioner James Khor last year: “If taxpayers can self-help, what we offer is easy, simple, and reliable e-services. Our website is simple to navigate, the information is authoritative, up-to-date, and you can rely on it to fulfill your tax obligations.”

Internet banking is another area where rigorous application security is particularly critical, not only to replace legacy client-server systems but also to comply with or exceed the security guidelines set by the central bank or monetary authority.

McKinsey’s Digital Banking in Asia report suggests as much: Asian banks are recognizing that cybersecurity must be treated as a core business function. This is corroborated by a study by McKinsey and the World Economic Forum in which 80% of global banking IT executives said the risk of cyberattack is a significant issue that could have major strategic implications.

Coupled with externalized authorization and extensible authentication, UAM paves the way for banks and other organizations to do more than provide secure services through mobile and internet channels.

As McKinsey’s Digital Banking in Asia authors point out, “For some banks, integrated multichannel access will become a core feature of their value proposition, including a light physical presence and agents to enhance the customer experience, as well as to promote trust and branding.”